Title: Password security policies
Post by Pete Finnigan on Nov 21st, 2005, 7:28pm

I want to share the following poll with you. At DBA-Village, they asked the following question:

What are the password security policies in your production databases?

No policies, nothing verified, security is not an issue: 24%
Checked this manually once or a few times: 18%
Checked and no new users or changed passwords since then: 9%
Regular checks, manually: 19%
Strong (password verification function, automatic check scripts, ...): 30%
There are 513 responses so far


So from the 513 responses, 24% (123) don't have a password policy and, according to the question, they consider security not an issue!
Maybe the question is misleading. Maybe some sites don't have a password policy (Oracle 7 !?) but this doesn't mean they don't find security important.
Anyway, 30% do have a password policy and this I find not very high. Or am I wrong?
We are pressing Oracle all the time to improve their security features but it seems that a great deal of the customers (us) don't care for them. I don't base this opinion just on the DBA-V poll but on what I read daily on , the OTN security forum and other sites. Security is still an after-thought.
Laws and regulations like SOX will change things but not everywhere. In the USA and some parts of Europe SOX is relevant but not for the rest of the world.
Pete has advocated for an open security standard for Oracle and I think he is right. I don't expect that a security standard will automagically solve all security risks but at least people will have a starting point and will be forced to think about the risks.


Title: Re: Password security policies
Post by Pete Finnigan on Nov 22nd, 2005, 5:07pm
Hi Ivan,

Thanks for posting this. I read DBA-village most weeks from the newsletter that comes out but I did not see this yet. To be honest I am not surprised that the interest in password policies and security of databases in general is not very high. I find this all the time but it is changing, slowly. :-)

Forums like this and OTN are good places to make some noise about Oracle security and also to ask for new features. I was told that people in Oracle read my blog and sometimes take notice. If we keep asking enough times it will improve (the security, that is).



